This snapshot, taken on 26/07/2008, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.
 

Risk

What are the risks?

There are a number of risks to organisations from inappropriate usage of the Internet and e-mail. In this section you will find information on:

Liability

The term 'cyberliabilities' is relatively new, but is being used more and more to describe company liabilities in this area. These include:

  • Racial or sexual discrimination and harassment
  • Libel
  • Misuse of personal information in breach of the Data Protection Act

There are many circumstances where directors and senior managers of companies can be held liable for the actions of their employees. They can also be held liable for not ensuring certain controls are in place for the prevention of inappropriate usage.

Viruses

A virus infection can have a devastating effect on a company. Many infections start with the abuse of computer systems, either by accessing unsuitable sites on the Internet or by opening suspect e-mail.

The Internet has rapidly become the most significant means through which viruses (and other malicious code) are spread. According to the CSI/FBI 2001 Computer Crime and Security Survey, 94% of respondents (mostly large US corporations) detected viruses in their incoming e-mails or Internet downloads.

Use the following link to the virus home page for a full list of resources, or read more about virus risks, recovery, prevention or a more detailed definition.

Reputation

It takes years to build a good reputation but just a few seconds to lose it.

There is no scientific way of demonstrating the negative effect on a company's reputation due to an information security incident or inappropriate usage. It is probable that the cumulative effect is greater than other more measurable ones, such as fines for breaching legislation or industry regulations.

Business partners, customers, suppliers and associates may well disassociate themselves from an organisation that is seen to have behaved inappropriately.

Potential employees may decide against joining such companies, and current employees may leave. The media may constantly remind their readership of a newsworthy, unwanted event.

Remember, companies are often liable for damage caused by the misuse of systems by staff, so the company's reputation is at stake if steps are not taken to prevent inappropriate use.

How can risks be minimised?

Any organisation, irrespective of size, can take a few basic steps to minimise the risks from inappropriate usage.

Do you have the following?

The BERR Information Security Breaches Survey 2008 found that levels of staff misuse of systems and data are lower than in the previous two surveys, but this is still an area of concern. The most common forms of staff misuse are visiting inappropriate websites, excessive browsing and sending inappropriate e-mail. If you answered NO to any item in the above checklist, the 2008 Survey results will be of interest.

 

What type of staff misuse did UK businesses experience?

| Problem | ISBS 2008 - large businesses | ISBS 2008 - overall |
|---|---|---|
| Misuse of web access | 43% | 14% |
| Misuse of email access | 25% | 7% |
| Unauthorised access to systems or data (e.g. using someone else's ID) | 8% | 2% |
| Breach of data protection laws or regulations | 3% | 1% |
| Breach of confidentiality (e.g. intellectual property or customer data) | 6% | 1% |
| Any of the above | 47% | 16% |